Vulnerability DatabaseCVE-2023-36617
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-36617
June 29, 2023
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
Affected Packages
uri (RUBY):
Affected version(s) >=0.10.0 <0.10.0.3
Fix Suggestion:
Update to version 0.10.0.3
uri (RUBY):
Affected version(s) >=0.12.0 <0.12.2
Fix Suggestion:
Update to version 0.12.2
uri (RUBY):
Affected version(s) >=0.10.1 <0.10.3
Fix Suggestion:
Update to version 0.10.3
uri (RUBY):
Affected version(s) >=0.11.0 <0.11.2
Fix Suggestion:
Update to version 0.11.2
Related Resources (24)
https://security.netapp.com/advisory/ntap-20230725-0002/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/
https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
https://security-tracker.debian.org/tracker/CVE-2023-36617
https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
https://security.netapp.com/advisory/ntap-20230725-0002
https://github.com/ruby/uri
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
https://access.redhat.com/security/cve/CVE-2023-36617
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
https://nvd.nist.gov/vuln/detail/CVE-2023-36617
https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW
Weakness Type (CWE)
Inefficient Regular Expression Complexity
CWE-1333
EPSS
Base Score:
0.98